[cabfcert_policy] Discussion about making L/ST Optional in some Countries

Dimitris Zacharopoulos jimmy at it.auth.gr
Fri Feb 5 04:42:23 MST 2016


On 28/1/2016 7:07 PM, Ben Wilson wrote:
>
> Good question – it sounds like that is another exception that we
> should add/consider.
>

This is indeed a very interesting proposal. In HARICA, most of our 
"clients" are members of the Academic and Research Community. I suppose 
that there is no way to establish a business in the entire country that 
would use the same DBA name of a University. There can only be one such 
name in the entire country. Adding Locality or State for such entities 
doesn't provide any additional security.

Best Regards,
Dimitris


> *From:*Brown, Wendy (10421) [mailto:wendy.brown at protiviti.com]
> *Sent:* Thursday, January 28, 2016 9:58 AM
> *To:* Ben Wilson <ben.wilson at digicert.com>; Dimitris Zacharopoulos 
> <jimmy at it.auth.gr>; policyreview at cabforum.org
> *Subject:* RE: [cabfcert_policy] Discussion about making L/ST Optional 
> in some Countries
>
> Just as a question: if the organizationName is a national entity, say a
> government agency, where a specific locality or state or province
> would just be misleading, is one of these 2 still required?
>
> Thanks – sorry to have missed today’s call.
>
> Wendy
>
> Wendy Brown
>
> FPKIMA Technical Liaison
>
> Protiviti Government Services
>
> 703-299-4705 (office)    703-965-2990 (cell)
>
> wendy.brown at gsa.gov
>
> wendy.brown at protiviti.com
>
> *From:* policyreview-bounces at cabforum.org *On Behalf Of* Ben Wilson
> *Sent:* Thursday, January 28, 2016 11:45 AM
> *To:* Dimitris Zacharopoulos <jimmy at it.auth.gr>; policyreview at cabforum.org
> *Subject:* Re: [cabfcert_policy] Discussion about making L/ST Optional 
> in some Countries
>
> I’ve added another comment:
>
> We could amend subsections 7.1.4.2.2d/e to say:
>
> d.      Certificate Field: subject:localityName (OID: 2.5.4.7)
>
> Required if the subject:organizationName field is present and the 
> subject:stateOrProvinceName field is absent.
>
> Optional if: (a) the subject:organizationName and 
> subject:stateOrProvinceName fields are present, or (b) if the country 
> name provided under subsection g. is Taiwan (TW), Singapore (SG), etc.
>
> e.      Certificate Field: subject:stateOrProvinceName (OID: 2.5.4.8)
>
> Required if the subject:organizationName field is present and 
> subject:localityName field is absent.
>
> Optional if: (a) subject:organizationName and subject:localityName 
> fields are present, or (b) if the country name provided under 
> subsection g. is Taiwan (TW), Singapore (SG), etc.
>
> *From:* policyreview-bounces at cabforum.org *On Behalf Of* Dimitris Zacharopoulos
> *Sent:* Thursday, January 28, 2016 9:34 AM
> *To:* policyreview at cabforum.org
> *Subject:* [cabfcert_policy] Discussion about making L/ST Optional in 
> some Countries
>
> Dear members of the policyreview WG,
>
> At today's call, among other issues, we discussed bug 2 
> <https://bugzilla.cabforum.org/show_bug.cgi?id=2> which talks about 
> making the "Locality/ST" field optional in some very special cases. We 
> discussed creating an exception list which should be displayed 
> in-line in section 7.1.4.2.2 d and e.
> The idea is to draft language for this exception similar to this:
>
> (original text from BR version 1.3.1, section 7.1.4.2.2d)
> "*Optional* if the subject:organizationName and 
> subject:stateOrProvinceName fields are present."
>
> (Proposed new language)
> "*Optional* if the subject:organizationName and 
> subject:stateOrProvinceName fields are present or if the Country is 
> Taiwan, Singapore, ...."
>
> This type of exception has been accepted in the past (for example in 
> the EV guidelines) by the CA/B Forum.
>
> Some questions came up about how we are going to add a country to the 
> exception list and under what procedure. Perhaps a ballot would be 
> efficient.
> For those that don't have access to the bugzilla system, you are able 
> to create your own account and access is granted automatically.
>
> I have attached the bug's comments below for your convenience.
>
>
> Best Regards,
> Dimitris Zacharopoulos.
>
>
> --- BEGIN Comments from Bug 2 ---
>
> Gervase Markham 2014-09-17 19:46:43 MST
>
> Some jurisdictions don't have a meaningful value to put here. We 
> should make this field optional.
>
> Erwann Abalea 2014-09-23 04:59:08 MST
>
> Could someone provide a list of countries (as defined by BR) for which 
> there's no state/province AND no locality?
>
> Gervase Markham 2014-09-23 05:08:56 MST
>
> There was a discussion of this issue, led by TWCA (I think) in 
> Beijing. We should probably get the minutes of that before going any 
> further. I think it came down to defining exactly what the address in 
> the cert _means_ - is it "where the entity is incorporated", or "where 
> the entity can be found". For the former, the issue covered by this 
> bug is a problem because inserting a Locality can be misleading. For 
> the latter, it's not a problem.
>
> Gerv
>
> ben.wilson at digicert.com 2014-10-29 15:41:49 MST
>
> Presentation of Li-Chun Chen on Locality in Subject DNs
>
> When I review Li-Chun's presentation, I am confused because I was 
> thinking that it was best to have one or the other "S" or "L" or both 
> State and Locality and omit one only if the other is provided. His 
> proposal wants "L" optional if State/Province is absent, etc. As I 
> recall when we were discussing this in Beijing, we focused on the 
> ability to identify the physical location for the subject with the DN 
> and not so much the X.500 name uniqueness (for company registration). 
> But the presentation does have a point on eliminating the requirement 
> for very small countries like Singapore, etc. I'm not sure whether 
> inserting country-specific exceptions into section 9.2.4 is a 
> solution, but maybe it's a possibility.
>
> Dimitris Zacharopoulos 2016-01-14 07:49:20 MST
>
> I suppose the original idea behind the Locality/State was that a 
> Company/Organization could use the same Name within a specific region 
> of the Country. This means that there could be a Company named 
> "Example Co" in one city and a different "Example Co" in another city, 
> and so on.
>
> There are some countries that have a centralized registry for 
> commercial companies which means that company names are "unique" in 
> the entire country. Perhaps this is the case in Singapore.
>
> The BR could address this issue in Section 7.1.4.2.2d/e and provide an 
> exception for these cases. However, the CA's qualified auditors should 
> verify that there is a single company naming registry in the entire 
> country which forces uniqueness of company names. The Root programs 
> could request a letter from the CA's auditors to verify this situation 
> that would enable the exception.
>
> --- END Comments from Bug 2 ---
>
>
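
The Required/Optional clauses for localityName and stateOrProvinceName quoted in this thread can be expressed as a lint check that shows which subjects the proposed amendment would newly allow. This is an added example, not part of the original messages or of any CA/B Forum text; the subject dictionaries, the function names and the two-country exemption set are assumptions made for illustration.

```python
# Added example: checks only the Required/Optional clauses quoted in the thread.
OIDS = {"L": "2.5.4.7", "ST": "2.5.4.8"}  # localityName, stateOrProvinceName
# Assumption: the thread names only Taiwan and Singapore ("etc."); this list is illustrative.
PROPOSED_EXEMPT = frozenset({"TW", "SG"})


def lint_subject(subject, exempt_countries=frozenset()):
    """Return findings for 7.1.4.2.2 d/e; an empty exempt set models the BR 1.3.1 text."""
    def present(attr):
        # A blank or whitespace-only value tells a relying party nothing: treat it as absent.
        return bool(subject.get(attr, "").strip())

    if not present("O"):
        return []  # the quoted clauses apply only when organizationName is present
    if subject.get("C", "").strip().upper() in exempt_countries:
        return []  # proposed clause (b): both fields optional for listed countries
    findings = []
    for field, other in (("L", "ST"), ("ST", "L")):
        if not present(field) and not present(other):
            findings.append(f"{field} ({OIDS[field]}) required: O present and {other} absent")
    return findings


def amendment_impact(subjects):
    """Indexes of subjects that fail the 1.3.1 text but pass the proposed text."""
    return [i for i, s in enumerate(subjects)
            if lint_subject(s) and not lint_subject(s, PROPOSED_EXEMPT)]


# Constructed sample subjects (not taken from real certificates).
SAMPLES = [
    {"C": "GR", "O": "Example University", "L": "Thessaloniki"},  # passes both texts
    {"C": "SG", "O": "Example Pte Ltd"},                          # passes only the amendment
    {"C": "tw", "O": "Example Co", "ST": "  "},                   # blank ST, lower-case C
    {"C": "US", "O": "Example Agency"},                           # fails both: US is not listed
    {"C": "DE", "CN": "example.com"},                             # no O: clauses do not apply
]

if __name__ == "__main__":
    for i, s in enumerate(SAMPLES):
        print(i, lint_subject(s), lint_subject(s, PROPOSED_EXEMPT))
    print("changed by amendment:", amendment_impact(SAMPLES))
```

The fourth sample corresponds to the national-entity question raised in the thread: a country-list exemption alone does not cover it.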
